I have a user that has had their device locked and password reset on 2 different occasions. I am trying to figure out if there is some type of event logged in one of the BES logs when an administrator sends the command to lock the device and reset password. I have poured over the logs but everything is pretty generic and somewhat cryptic. I am unable to determine exactly when this command is being issued. I would appreciate any help on this.

They receive the message "Administrator has reset your password". With me being the only admin and not having sent the command to the device, it has me baffled atm. I have looked through the logs and have found nothing so far.

OTA password resets are recorded in the Policy log and you'll see an entry as below. Note that the user ID is erroneous. It isn't the ID of the user having their p/w reset and it isn't the ID of the Administrator doing the reset. The user ID in the policy log will be different as there is a different User-ID table for the policy service. RIM publish a script you can run against the database that will allegedly return the required information. Search for KB19251.

FWIW, I've seen this, and don't think the command is actually being sent from the BES. Mostly older Curve devices. Seems to happen to many of them right after we apply the IT policy that forces a password in the first place.